21 June 2024

Cyber Security Week in Review: June 21, 2024


The US bans Russia’s Kaspersky software due to national security concerns

The US Department of Commerce's Bureau of Industry and Security (BIS) has implemented a “first of its kind” ban prohibiting Kaspersky Lab's US subsidiary from offering its security software in the country. This ban extends to the company's affiliates, subsidiaries, and parent companies, due to national security concerns associated with its US operations. Additionally, BIS has placed AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) on the Entity List, a list of foreign individuals, companies, and organizations deemed a national security concern, subjecting them to export restrictions and licensing requirements for certain technologies and goods.

In April, the international volunteer intelligence community InformNapalm exposed close collaboration between the Russian antivirus maker Kaspersky Lab and the Russian UAV manufacturer Albatross in the development of military drones.

Russian Nobelium hackers target French diplomatic entities and public orgs

The French cybersecurity agency ANSSI said that the Russia-linked state-sponsored threat actor tracked as Nobelium has been persistently targeting French diplomatic entities and public organizations since 2021.

ANSSI detailed that Nobelium was involved in at least five coordinated campaigns between 2021 and 2024. The targets included the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies worldwide.

Chinese cyber espionage actor exploits Fortinet, Ivanti, and VMware zero-days

The China-nexus cyber espionage group known as UNC3886 has been linked to the exploitation of zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices. The threat actor has employed a sophisticated array of persistence mechanisms to maintain continuous access to compromised environments.

UNC3886’s tactics include leveraging vulnerabilities such as CVE-2022-41328 in Fortinet FortiOS, CVE-2023-34048 and CVE-2022-22948 in VMware vCenter, and CVE-2023-20867 in VMware Tools. These exploits allow the group to deploy backdoors, obtain credentials, and achieve deeper infiltration into targeted systems.

Suspected Chinese espionage actor targeted East Asian org using legacy F5 BIG-IP devices

A suspected China-nexus cyber espionage actor, named “Velvet Ant,” has been targeting an unnamed organization in East Asia in a three-year-long cyber espionage campaign involving the PlugX malware. The group leveraged legacy F5 BIG-IP appliances as internal command-and-control (C&C) servers to evade detection. Velvet Ant's techniques included hijacking execution flow using methods such as DLL search order hijacking, Phantom DLL loading, and DLL side loading. After initial remediation efforts thwarted the attack, the threat actor targeted legacy operating systems, particularly Windows Server 2003 systems where Endpoint Detection and Response (EDR) products were not installed and logging was limited.

Chinese cyber espionage actors target telecom operators in Asia

Chinese cyber espionage actors have been linked to a long-running campaign targeting telecom operators in an Asian country since at least 2021, with potential activity dating back to 2020. The attackers breached multiple networks, installing backdoors and attempting to steal credentials. The tools used in this campaign, such as COOLCLIENT, QUICKHEAL, and RainyDay, are associated with groups like Mustang Panda, RedFoxtrot, and Naikon. These tools are capable of capturing sensitive data and communicating with command-and-control servers.

Void Arachne targets Chinese-speaking users with Winos backdoor

Researchers at Trend Micro have uncovered a new cyber threat group they dubbed “Void Arachne,” which is targeting Chinese-speaking users with malicious Windows Installer (MSI) files that bundle legitimate software installers for AI and other popular software. The group is leveraging compromised MSI files embedded with various applications, including nudifiers and deepfake pornography-generating software, as well as AI-based voice and facial technologies. The campaign uses SEO poisoning and disseminates malware via social media and messaging platforms.

Pro-Russian actors flooding newsrooms with fake content to overwhelm fact-checkers

Pro-Russian actors are inundating newsrooms with false information in a strategic attempt to overwhelm verification resources and amplify the spread of disinformation, a new study says.

The identified scheme is part of a global ongoing operation dubbed “Operation Overload.” It involves anonymous pro-Russian actors systematically contacting journalists through emails and social media, urging them to verify suspected fake news. The goal is to stretch fact-checkers thin and to ensure the false narratives reach wider audiences, whether debunked or not.

The operation has targeted over 800 news organizations across Europe and outside of the European Union, disseminating around 2,400 tweets and more than 200 emails, with the majority of messages containing misleading links hosted on the messaging app Telegram.

Attackers use new tactics in campaign targeting exposed Docker APIs

Cybersecurity researchers have uncovered a sophisticated malware campaign targeting publicly exposed Docker API endpoints, aiming to deploy cryptocurrency miners and other malicious payloads.

The new campaign, detailed by cloud analytics platform Datadog, bears similarities to another operation named “Spinning YARN” detected in March 2024 by cybersecurity firm Cado Security. The campaign targets misconfigured services like Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis for cryptojacking.

Cybercriminals use new social engineering tactic for running PowerShell and installing malware

A threat actor known as TA571 and the ClearFake activity cluster have been observed employing an innovative social engineering technique designed to manipulate users into executing malicious PowerShell scripts and infecting victim devices with malware. The technique, detailed by Proofpoint researchers, involves directing users to copy and paste malicious PowerShell scripts that lead to the deployment of various malicious tools, including DarkGate, Matanbuchus, NetSupport, and several information stealers.

Malvertising campaign spreads Oyster backdoor via malicious Chrome and Microsoft Teams installers

Rapid7 has detected a malvertising campaign targeting users by offering malicious installers for widely used software like Google Chrome and Microsoft Teams. The installers deploy a backdoor known as Oyster or Broomstick. Once executed, the backdoor initiates hands-on-keyboard activity, running enumeration commands and deploying further malicious payloads.

Rust-based Fickle Stealer distributed via multiple attack chains

A new Rust-based information-stealing malware called ‘Fickle Stealer’ has been discovered that is being distributed through multiple attack chains. Fortinet FortiGuard Labs reports four distinct methods of delivery: VBA dropper, VBA downloader, link downloader, and executable downloader. Some of these methods employ a PowerShell script to bypass User Account Control (UAC) and execute the malware, aiming to harvest sensitive information from compromised systems.

Highly evasive SquidLoader malware is targeting Chinese orgs

LevelBlue Labs released a report on a new highly evasive loader, named “SquidLoader,” delivered through phishing attachments to specific targets. SquidLoader, a type of malware used to load second-stage payloads onto victim systems, employs various evasion techniques to avoid analysis. First observed in late April 2024, SquidLoader likely had been active for a month prior. The retrieved sample revealed it delivered a modified Cobalt Strike payload. The actor behind SquidLoader has been running sporadic campaigns over the past two years, mainly targeting Chinese-speaking victims.

Scattered Spider hackers switch focus to cloud apps for data theft

The notorious cybercriminal group Scattered Spider, also known as Octo Tempest, 0ktapus, Scatter Swine, and UNC3944, has recently shifted its focus towards data theft from software-as-a-service (SaaS) applications. Scattered Spider has been active since at least May 2022 and is known for its sophisticated social engineering attacks. These attacks often involve SMS phishing, SIM swapping, and account hijacking to gain on-premises access. The group, primarily operating through underground communities on Telegram, hacking forums, and Discord servers, has developed a reputation for its aggressive and varied tactics.

Earlier this week, a suspected Scattered Spider boss was arrested in Spain.

London hospital hackers claim to leak stolen NHS data

The Qilin ransomware gang responsible for significant disruption to several London hospitals earlier this month has published nearly 400GB of sensitive data stolen from NHS blood testing company Synnovis, according to BBC. The data, released on Qilin's darknet site, includes patient names, dates of birth, NHS numbers, and descriptions of blood tests, along with business account spreadsheets detailing financial arrangements between hospitals and GP services and Synnovis. The gang has been attempting to extort money from Synnovis since hacking the firm on June 3, threatening to release the data if not paid. NHS England is aware of the publication but said it cannot confirm the authenticity of the data.

CDK Global warns customers of scammers amidst cyberattacks

CDK Global, a US-based provider of software solutions for automotive dealerships, has warned its customers about scammers posing as CDK agents or affiliates to gain unauthorized access to systems, BleepingComputer reported. This warning comes amidst the ongoing cyberattacks that have significantly impacted the company's operations.

The company first detected a cyberattack on its network on June 18. The attack forced CDK Global to shut down its customer support channels and take most of its systems offline, leading to widespread disruption. Dealerships relying on CDK's platform for tracking and ordering car parts, conducting sales, managing inventory, offering financing, and fulfilling back-office tasks experienced significant operational challenges due to the outage.

In the process of recovering from the initial breach, the company was hit with a second attack on June 19, forcing it to shut down its systems once again.

ICC investigates cyberattacks in Ukraine as possible war crimes

Prosecutors at the International Criminal Court (ICC) are investigating alleged Russian cyberattacks on Ukrainian civilian infrastructure as potential war crimes, Reuters reported, citing sources familiar with the case. This marks the first confirmation that cyberattacks are being scrutinized by international prosecutors, potentially leading to arrest warrants if sufficient evidence is gathered.

The probe is focused on cyberattacks that endangered lives by disrupting essential services such as power and water supplies, cutting connections to emergency responders, and disabling mobile data services that transmit air raid warnings.

Police shut down online infrastructure used by terrorists for communication and propaganda

An international police effort involving law enforcement authorities across Europe and the United States has dismantled critical online infrastructure used by terrorist groups for communications and propaganda. Servers supporting multiple media outlets linked to the Islamic State were taken down in Germany, the Netherlands, United States, and Iceland. In addition, Spanish authorities arrested nine radicalized individuals.

Two ViLE gang members plead guilty to hacking law enforcement portal

Two hackers pleaded guilty to conspiring to commit computer intrusion and aggravated identity theft. Sagar Steven Singh and Nicholas Ceraolo, charged in March 2023, admitted to using a stolen law enforcement officer's password to gain unauthorized access to a nonpublic portal maintained by a US law enforcement agency.

The hackers, operating under the moniker “ViLE,” concocted a scheme that involved doxing and extortion tactics to extract money from their victims. According to officials, Singh and Ceraolo gathered sensitive personal information, including Social Security and driver's license numbers, and threatened to post this data publicly unless paid to remove it. The duo employed various illicit methods to obtain personal information, which they then used to harass, threaten, or extort their victims.

Threat actor IntelBroker claims to have breached Apple, AMD

IntelBroker, a notorious threat actor, has claimed responsibility for several high-profile breaches, including the alleged compromise of Apple and AMD. The threat actor posted a message on the BreachForums forum claiming to have accessed internal source code for three Apple tools: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. As proof, the threat actor posted samples of the source code.

Additionally, IntelBroker claims to have breached AMD’s website, stealing data on future products, employee information, and customer databases. The hacker provided screenshots of purported AMD credentials and detailed the stolen data on a hacking forum, which includes product specifications, ROMs, firmware, and financial documents.
